ci: Rename and update the ci.yaml based on the template

[tampakrap]

The template used is crossplane/function-template-go but it is also
based on other functions like crossplane-contrib/function-kcl and
crossplane-contrib/function-go-templating

[tampakrap]

here is a diff between docker-build-push.yaml and ci.yaml

@gotwarlost in the build job I am removing the setup LDFLAGS step, should I bring it back?

--- .github/workflows/docker-build-push.yaml	2025-05-27 13:49:41.219104251 +0200
+++ .github/workflows/ci.yaml	2025-05-27 17:25:26.622985713 +0200
@@ -1,23 +1,83 @@
-name: docker build and push
+name: CI
+
 on:
-  pull_request: {}
   push:
     branches:
       - main
+      - release-*
     tags:
       - '*'
+  pull_request: {}
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Package version (e.g. v0.1.0)
+        required: false

 env:
+  # Common versions
   GO_VERSION: '1.23.1'
-  DOCKER_BUILDX_VERSION: 'v0.11.2'
-  XP_CHANNEL: master
-  XP_VERSION: current
+  GOLANGCI_VERSION: 'v1.63.2'
+  DOCKER_BUILDX_VERSION: 'v0.23.0'
+
+  # These environment variables are important to the Crossplane CLI install.sh
+  # script. They determine what version it installs.
+  XP_CHANNEL: master   # TODO(negz): Pin to stable once v1.14 is released.
+  XP_VERSION: current  # TODO(negz): Pin to a version once v1.14 is released.
+
+  # This CI job will automatically push new builds to xpkg.upbound.io if the
+  # XPKG_ACCESS_ID and XPKG_TOKEN secrets are set in the GitHub respository (or
+  # organization) settings. Create a token at https://accounts.upbound.io.
   XPKG_ACCESS_ID: ${{ secrets.XPKG_ACCESS_ID }}
+
+  # The package to push, without a version tag. The default matches GitHub. For
+  # example xpkg.upbound.io/crossplane/function-template-go.
   XPKG: xpkg.upbound.io/${{ github.repository}}
+  CROSSPLANE_REGORG: ghcr.io/${{ github.repository}} # xpkg.crossplane.io/crossplane-contrib
+
+  # The package version to push. The default is 0.0.0-gitsha.
+  XPKG_VERSION: ${{ inputs.version }}

 jobs:
+  lint:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false  # The golangci-lint action does its own caching.
+
+      - name: Check go mod tidy
+        run: go mod tidy && git diff --exit-code go.mod go.sum
+
+      - name: Lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: ${{ env.GOLANGCI_VERSION }}
+
+  unit-test:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Run Unit Tests
+        run: go test -v -cover ./...
+
+  # We want to build most packages for the amd64 and arm64 architectures. To
+  # speed this up we build single-platform packages in parallel. We then upload
+  # those packages to GitHub as a build artifact. The push job downloads those
+  # artifacts and pushes them as a single multi-platform package.
   build:
-    name: build multi-arch packages
     runs-on: ubuntu-24.04
     strategy:
       fail-fast: true
@@ -26,28 +86,23 @@
           - amd64
           - arm64
     steps:
-      - name: setup QEMU
+      - name: Setup QEMU
         uses: docker/setup-qemu-action@v3
         with:
           platforms: all

-      - name: setup Docker Buildx
+      - name: Setup Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
           version: ${{ env.DOCKER_BUILDX_VERSION }}
           install: true

-      - name: checkout
+      - name: Checkout
         uses: actions/checkout@v4

-      - name: setup LDFLAGS
-        run: |
-          LDFLAGS="$(make ci-print-ldflags)"
-          echo "LDFLAGS=${LDFLAGS}">>$GITHUB_ENV
-
       # We ask Docker to use GitHub Action's native caching support to speed up
       # the build, per https://docs.docker.com/build/cache/backends/gha/.
-      - name: build runtime
+      - name: Build Runtime
         id: image
         uses: docker/build-push-action@v6
         with:
@@ -56,21 +111,20 @@
           cache-from: type=gha
           cache-to: type=gha,mode=max
           target: image
-          build-args: |
+          build-args:
             GO_VERSION=${{ env.GO_VERSION }}
-            LDFLAGS=${{ env.LDFLAGS }}
           outputs: type=docker,dest=runtime-${{ matrix.arch }}.tar

-      - name: setup the Crossplane CLI
+      - name: Setup the Crossplane CLI
         run: "curl -sL https://raw.githubusercontent.com/crossplane/crossplane/master/install.sh | sh"

       - name: remove examples from tree
         run: rm -rf examples/

-      - name: build Package
+      - name: Build Package
         run: ./crossplane xpkg build --package-file=${{ matrix.arch }}.xpkg --package-root=package/ --embed-runtime-image-tarball=runtime-${{ matrix.arch }}.tar

-      - name: upload single-platform package
+      - name: Upload Single-Platform Package
         uses: actions/upload-artifact@v4
         with:
           name: package-${{ matrix.arch }}
@@ -79,10 +133,13 @@
           retention-days: 1

   # This job downloads the single-platform packages built by the build job, and
-  # pushes them as a multi-platform package.
+  # pushes them as a multi-platform package. We only push the package it the
+  # XPKG_ACCESS_ID and XPKG_TOKEN secrets were provided.
   push:
     runs-on: ubuntu-24.04
     needs:
+      - lint
+      - unit-test
       - build
     steps:
       - name: Checkout
@@ -93,21 +150,38 @@
         with:
           path: .
           merge-multiple: true
+          pattern: "!*.dockerbuild" # This gets uploaded by docker/build-push-action but must be skipped: https://github.com/actions/toolkit/pull/1874

       - name: Setup the Crossplane CLI
         run: "curl -sL https://raw.githubusercontent.com/crossplane/crossplane/master/install.sh | sh"

-      - name: Set Multi-Platform Package Version
-        run: echo "XPKG_VERSION=$(make ci-print-version)" >> $GITHUB_ENV
-
       - name: Login to Upbound
         uses: docker/login-action@v3
+        if: env.XPKG_ACCESS_ID != ''
         with:
           registry: xpkg.upbound.io
           username: ${{ secrets.XPKG_ACCESS_ID }}
           password: ${{ secrets.XPKG_TOKEN }}
-        if: env.XPKG_ACCESS_ID != ''

-      - name: Push Multi-Platform Package to docker hub
+      # If a version wasn't explicitly passed as a workflow_dispatch input we
+      # default to version v0.0.0-<git-commit-date>-<git-short-sha>, for example
+      # v0.0.0-20231101115142-1091066df799. This is a simple implementation of
+      # Go's pseudo-versions: https://go.dev/ref/mod#pseudo-versions.
+      - name: Set Default Multi-Platform Package Version
+        if: env.XPKG_VERSION == ''
+        run: echo "XPKG_VERSION=v0.0.0-$(date -d@$(git show -s --format=%ct) +%Y%m%d%H%M%S)-$(git rev-parse --short=12 HEAD)" >> $GITHUB_ENV
+
+      - name: Push Multi-Platform Package to Upbound
         if: env.XPKG_ACCESS_ID != ''
         run: "./crossplane --verbose xpkg push --package-files $(echo *.xpkg|tr ' ' ,) ${{ env.XPKG }}:${{ env.XPKG_VERSION }}"
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push Multi-Platform Package to GHCR
+        if: env.XPKG_ACCESS_ID != ''
+        run: "./crossplane --verbose xpkg push --package-files $(echo *.xpkg|tr ' ' ,) ${{ env.CROSSPLANE_REGORG }}:${{ env.XPKG_VERSION }}"

[gotwarlost]

OK, let me provide some context first before I answer the question. I completely forgot about this in our meeting earlier.

• Most other functions (probably all of them) only create a docker image for use by the consumer
• In this function we have an additional command-line binary fn-cue-tools that also needs to be shipped with every release.
• So even if the image in the container doesn't contain version info, fn-cue-tools must have this and it should be the same as the version of the image for tagged releases (it is ok if it is different/ not set for PR builds etc.)
• Ideally we would also provide some way for the user to install the binary locally via homebrew or something. But that is not done now and can be taken up in a different PR.

So LD_FLAGS must be set correctly for tagged builds and must match whatever version we claim the release has.

[gotwarlost]

actually since we don't ship binaries as part of releases, it may be ok to leave it out in this PR. But we need a better story longer-term on how this binary is shipped to the user and versioned.

[gotwarlost]

LGTM